GAO 


United  States  General  Accounting  Office _ 

Report  to  Congressional  Requesters 


SOCIAL  SECURITY 
ADMINISTRATION 

Year  2000  Readiness 
Efforts  Helped  Ensure 
Century  Rollover  and 
Leap  Year  Success 


DISTRIBUTION  STATEMENT  A 

Approved  for  Public  Release 
Distribution  Unlimited 


<r  *  ★ 
★  ★ 
f  ★★★ 


20000421  043 


GAO 


Accountability  *  Integrity  *  Reliability 


GAO/AIMD-OO  125 


QDAUyy 


i 

^  G  A  O 

^^^^^^^^^A^ountabillty  *  Integrity  *  Reliability  _ _ _ _ _ _ _ 

United  States  General  Accounting  Office  Accounting  and  Information 

Washington,  D.C.  20548  Management  Division 


B-284973 
April  19,  2000 

The  Honorable  E.  Clay  Shaw,  Jr. 

Chairman,  Subcommittee  on  Social  Security 
Committee  on  Ways  and  Means 
House  of  Representatives 

The  Honorable  Charles  E.  Grassley 
Chairman,  Special  Committee  on  Aging 
United  States  Senate 

The  Social  Security  Administration  (SSA)  relies  extensively  on  information 
systems  to  support  the  processing  of  benefits  and  to  provide  various  other 
services  to  the  public.*  The  agency  maintains  and  operates  over  300 
mission-critical  computer  systems  supported  by  over  35  million  lines  of  in- 
house  developed  computer  code  and  hundreds  of  commercial  off-the-shelf 
vendor  products.  Because  of  its  heavy  reliance  on  computers,  the  Year  2000 
problem  presented  SSA  with  the  enormous  challenge  of  reviewing  all  of  its 
computer  software  and  making  the  conversions  required  to  ensure  that  its 
systems  could  handle  the  first  change  to  a  new  century  since  the  computer 
age  began. 

Since  1997,  we  have  conducted  various  reviews  and  issued  five  reports  and 
testimony  statements  on  SSAs  efforts  to  ensure  its  readiness  for  the  year 
2000.^  Our  first  report,  in  October  1997,  noted  SSAs  early  initiatives  to 
address  the  challenge,  identified  critical  risks  that  threatened  the  success 


'The  Old  Age  Survivors  Insurance  and  Disability  Insurance  programs,  together  commonly 
known  as  Social  Security,  provide  benefits  to  retired  and  disabled  workers  and  their 
dependents  and  survivors.  The  Supplemental  Security  Income  program  provides  income  for 
aged,  blind,  or  disabled  individuals  with  limited  income  and  resources.  SSA  also  issues 
Social  Security  numbers  to  eligible  individuals  and  maintains  and  provides  earnings  records 
for  individuals  working  under  employment  covered  by  the  program. 

^Social  Security  Administration:  Significant  Progress  Made  in  Year  2000  Effort,  But  Key 
Risks  Remain  (GAO/AIMD-98-6.  October  22, 1997) ,  Social  Security  Administration: 
Information  Technology  Challenges  Facing  the  Commissioner  (GAO/T-AIMD-98-109, 

March  12,  1998) ,  Year  2000  Computing  Crisis:  Continuing  Risks  of  Disruption  to  Social 
Security,  Medicare,  and  Treasury  Programs  (GAO/T-AIMD-98-161,  May  7, 1998),  Ifear  2000 
Computing  Crisis:  Update  on  the  Readiness  of  the  Social  Security  Administration  (GAO/ 
T-AIMD-99-90,  February  24, 1999),  and  Social  Security  Administration:  Update  on  Year  2000 
and  Other  Key  Information  Technology  Initiatives  (GAO/T-AIMD-99-259,  July  29, 1999). 
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of  these  efforts,  and  recommended  actions  for  mitigating  the  risks.  Our 
most  recent  testimony  in  July  1999  updated  the  agency’s  progress  in 
implementing  our  recommendations  and  in  taking  other  critical  steps  to 
ensure  Year  2000  (Y2K)  compliance.  At  your  request,  this  report 
summarizes  our  review  of  SSA’s  final  actions  to  ensure  its  Year  2000 
readiness,  including  the  actions  it  took  during  the  rollover  period — 
December  30, 1999,  through  January  3,  2000,  as  well  as  for  the  February  29 
leap  year  date — to  ensure  a  successful  transition  to  the  new  century. 


Results  in  Brief 


Overall,  SSA  demonstrated  a  strong  and  consistent  commitment  to 
addressing  identified  concerns  about  its  Year  2000  program.  The  agency 
completed  all  of  the  critical  tasks  involved  in  ensuring  its  readiness  prior  to 
the  change  of  century  and  experienced  only  minor  problems  during  the 
rollover  weekend.  For  those  problems  that  did  occur,  SSA  now  reports  that 
all  have  been  mitigated  by  correcting  the  systems  involved.  Moreover, 
according  to  SSA,  none  of  the  problems  encountered  during  the  rollover 
weekend  adversely  affected  its  ability  to  serve  the  public.  SSA  further 
reported  that  its  systems  processed  data  without  incident  during  the 
February  29  leap  year  date,  another  potential  date  for  disruptions. 

Like  other  organizations,  SSA  must  still  consider  the  possibility  that 
additional  challenges  associated  with  the  year  2000  could  occur.  There  may 
continue  to  be  minor  problems  along  the  way  as  organizations  process  data 
and  transactions  in  the  future,  such  as  during  quarterly,  end-of-year,  or 
other  critical  periods.  While  SSAs  success  so  far  is  a  very  positive  indicator 
that  any  potential  hurdles  will  also  be  overcome,  the  agency  nonetheless 
must  continue  its  diligence  in  anticipating  and  responding  to  any  problems 
that  occur.  Further,  it  will  be  especially  important  for  SSA  to  consider  how 
practices  that  it  applied  in  addressing  the  Year  2000  problem  can  now  be 
used  to  help  ensure  the  effective  management  of  its  broader  information 
technology  program.  SSA  agreed  that  such  action  should  be  taken,  and  the 
Commissioner  stated  that  the  agency  had  already  begun  to  apply  lessons 
learned  from  its  Y2K  experiences. 


Background 


Federal  agencies  faced  the  potential  for  critical  computer  system  failures  at 
the  turn  of  the  century  due  to  incorrect  information  processing  relating  to 
dates.  This  problem  was  rooted  in  how  dates  were  recorded  and  processed 
in  computer  systems.  Specifically,  for  the  past  several  decades,  systems 
typically  used  two  digits  to  represent  the  year — such  as  “97”  for  1997;  in 
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such  a  format,  however,  2000  is  indistinguishable  from  1900.  Hence,  a 
beneficiary  born  in  1925  and  therefore  turning  75  in  2000  could  be  seen  as 
being  negative  25  years  old  (if  “now”  is  1900)— not  even  born  yet— and 
therefore  ineligible  for  benefits  that  the  individual  had  already  been 
receiving. 

Correcting  this  problem  was  an  enormous  challenge  for  all  agencies,  since 
many  of  the  government’s  computer  systems  were  developed  20  to  25  years 
ago,  used  a  wide  array  of  computer  languages,  and  lacked  full 
documentation.  Complete  and  thorough  Year  2000  testing  was  essential  to 
providing  reasonable  assurance  that  new  or  modified  systems  could 
process  dates  correctly  and  would  not  jeopardize  an  organization’s  ability 
to  perform  core  business  operations  in  the  new  millennium.  This  included 
testing  systems  and  operations  at  the  century  rollover  and  during  the 
February  29,  2000,  leap  year  date. 

As  we  previously  reported,^  SSA  first  recognized  the  potential  impact  of  the 
Year  2000  problem  in  1989,  and  therefore  was  able  to  launch  an  early 
response  to  this  challenge.  It  initiated  early  awareness  activities  and  made 
significant  early  progress  in  assessing  and  renovating  mission-critical 
mainframe  systems  that  enable  it  to  provide  Social  Security  benefits  and 
other  public  assistance.  Moreover,  the  agency  continued  to  make  excellent 
progress  on  the  Year  2000  problem  throughout  the  decade.  Because  of  the 
knowledge  and  experience  gained  through  its  efforts,  SSA  was  consistently 
recognized  as  a  federal  leader  in  addressing  the  Year  2000  issue. 

Like  many  other  organizations,  SSA  faced  a  number  of  challenges  to 
ensuring  its  readiness.  Our  1997  report  identified  three  key  risk  areas  in  the 
agency’s  Year  2000  program:  (1)  compliance  of  mission-critical  systems 
used  by  the  54  state  Disability  Determination  Services  (DDS)  that  help  SSA 
administer  its  disability  programs,  (2)  compliance  of  SSA’s  data  exchanges 
with  outside  sources,  such  as  other  federal  agencies,  state  agencies,  and 
private  businesses,  and  (3)  SSA’s  lack  of  contingency  plans  to  ensure 
business  continuity  in  the  event  of  systems  failures.  As  a  result  of  these 
risks,  we  recommended  several  actions  for  improving  SSA’s  Year  2000 
vulnerability  in  these  areas.  SSA  agreed  with  all  of  our  recommendations, 
and  took  a  number  of  important  actions  to  implement  them. 


^GAO/AIMD-98-6,  October  22, 1997. 
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Our  July  1999  testimony  noted  SSA’s  progress  in  implementing  our 
recommendations  and  identified  other  vital  steps  that  the  agency  had  taken 
to  help  ensure  its  preparedness  for  the  year  2000.  For  example,  SSA 
established  a  Y2K  test  facility  for  its  operating  systems,  vendor  products, 
and  mission-critical  systems.  In  addition,  to  ensure  the  delivery  of  benefits 
payments,  SSA  worked  jointly  with  the  Department  of  the  Treasury’s 
Financial  Management  Service  and  the  Federal  Reserve  System  to  test  the 
transfer  of  electronic  benefits  payments  from  Treasury  to  the  Federal 
Reserve  through  the  Automated  Clearinghouse  network.  SSA  also 
coordinated  with  the  U.S.  Postal  Service  to  help  ensure  the  delivery  of 
benefits  checks. 

While  SSA  had  made  significant  progress  on  its  Year  2000  efforts,  our 
testimony,  nonetheless,  emphasized  the  need  for  SSA  to  finalize  certain 
tasks  integral  to  ensuring  its  overall  readiness  for  the  year  2000.  For 
example,  although  SSA  had  developed  contingency  plans  to  support  its 
core  business  operations,  it  still  needed  to  finalize  testing  of  those  plans 
and  implement  its  Day  One  strategy,  consisting  of  actions  to  be  executed 
during  the  last  days  of  1999  and  the  first  few  days  of  2000. 


Objective,  Scope,  and 
Methodology 


The  objective  of  our  review  was  to  assess  SSA’s  efforts  to  finalize  critical 
tasks  required  to  ensure  its  Year  2000  readiness,  including  the  actions  that 
it  took  during  the  century  rollover  period  and  the  February  29  leap  year 
date  to  address  Year  2000-induced  disruptions.  To  meet  this  objective,  we 
reviewed  and  analyzed  key  Year  2000  compliance  documents,  including 
quality  assurance  status  reports  and  monthly  and  quarterly  progress 
reports  submitted  to  Congress  and  the  Office  of  Management  and  Budget 
(0MB).  We  also  reviewed  SSA’s  contingency  planning  documents,  including 
its  Day  One  strategy.  Further,  as  part  of  observing  the  rollover,  we 
inspected  SSA’s  Year  2000  command  center  capabilities  and  reviewed  SSA’s 
Year  2000  incident  reports.  We  used  our  Year  2000  guides  in  evaluating 
SSA’s  readiness  activities.^ 


*Year2000  Computing  Crisis:  An  Assessment  Guide  (GAO/AlMD-10.1.14,  September  1997), 
year  2000  Computing  Crisis:  Business  Continuity  and  Contingency  Planning  (GAO/ 
AIMD-10.1.19,  August  1998),  Year  2000  Computing  Crisis:  A  Testing  Guide  (GAO/ 
AIMD-10.1.21,  November  1998),  and  Y2K  Computing  Challenge:  Day  One  Planning  and 
Operations  Guide  (GAO/AIMD-10.1.22.  October  1999). 
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We  discussed  SSA’s  Year  2000  program  activities  with  officials  in  various 
headquarters  offices,  including  the  offices  of  the  deputy  commissioners  for 
systems;  operations;  and  finance,  assessment,  and  management.  We  also 
met  with  management  and  staff  at  SSA’s  program  service  center  in 
Birmingham,  Alabama,  and  at  its  field  office  in  Tucker,  Georgia.  In  addition, 
we  interviewed  Year  2000  program  officials  at  the  state  DDS  office  in 
Decatur,  Georgia.  We  discussed  the  nature  and  extent  of  rollover  and  leap 
year  disruptions  with  SSA’s  Year  2000  program  director  and  other 
appropriate  personnel. 

We  conducted  our  review  from  August  1999  through  March  2000,  in 
accordance  with  generally  accepted  government  auditing  standards.  The 
Commissioner  of  Social  Security  provided  comments  on  a  draft  of  this 
report.  These  comments  are  discussed  in  the  “Agency  Comments”  section 
and  are  reprinted  in  appendix  I. 


SSA  Completed  Critical  Following  our  July  1999  testimony,  SSA  took  a  number  of  important  steps 
„  i  ^  to  ensure  that  its  Year  2000  tasks  were  successfully  completed  prior  to  the 

laSKS  to  JinSUre  Year  century  rollover.  We  had  noted  that  while  SSA  was  making  excellent 

2000  Readiness  progress  on  the  Year  2000  problem,  it  had  not  completed  certain  tasks  that 

were  critical  to  ensuring  its  overall  readiness.  These  tasks  included 
(1)  conducting  specific  actions  required  to  finalize  its  Year  2000  business 
continuity  and  contingency  plans  and  (2)  correcting  date-field  errors 
identified  through  a  quality  assurance  process  that  the  agency  implemented 
to  reduce  Year  2000  risks. 


SSA  Completed  Year  2000 
Business  Continuity  and 
Contingency  Plans 


Among  SSA’s  most  important  responsibilities  in  the  months  leading  up  to 
the  new  century  was  completing  certain  tasks  required  to  ensure  the 
effectiveness  of  its  Year  2000  business  continuity  and  contingency  plans, 
and  coordinating  with  its  own  staff  and  business  partners  to  ensure  the 
timely  functioning  of  its  core  business  operations.  This  included 
coordinating  with  its  benefits  delivery  partners  on  contingency  actions  for 
ensuring  timely  benefits  payments,  and  completing  various  tests  of  the 
plans  to  ensure  their  viability  and  usefulness  in  the  event  of  a  systems 
failure. 


To  ensure  that  Social  Security  and  other  benefits  would  continue  to  be  paid 
at  the  turn  of  the  century,  SSA  assisted  Treasury  in  establishing  a  number  of 
payment-related  contingencies.  These  included  developing  alternative 
disbursement  processes  for  financial  institutions  that  experience  Y2K 
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disruptions  and  arranging  to  provide  third-party  emergency  payments  to 
beneficiaries.  In  addition,  SSA  worked  with  the  U.S.  Postal  Service  to 
ensure  that  paper  checks  would  be  delivered  on  time. 

SSA  also  conducted  extensive  testing  of  its  business  continuity  and 
contingency  plans  to  evaluate  whether  individual  contingency  plans  were 
capable  of  providing  the  level  of  support  needed  to  the  agency’s  core 
business  processes  and  whether  the  plans  could  be  implemented  within  a 
specified  period.  To  accomplish  this,  SSA  rehearsed  its  contingency  plans 
at  selected  field  offices.  These  tests  involved,  for  example,  using  paper 
forms,  rather  than  computers,  to  process  Social  Security  and  Supplemental 
Security  Income  workloads.  SSA  relied  on  the  test  results  to  determine 
what  resources  were  required  to  carry  out  specific  contingency  tasks  and 
to  familiarize  staff  with  the  required  tasks  prior  to  the  rollover  weekend. 
SSA  completed  testing  its  business  continuity  and  contingency  plans  by 
September  30, 1999. 

A  critical  feature  of  SSAs  contingency  planning  was  the  development  and 
implementation  of  a  Day  One  strategy  to  guide  its  rollover  activities.  SSA 
included  this  strategy  in  its  overall  business  continuity  and  contingency 
plan  to  ensure,  to  the  extent  possible,  that  its  facilities  and  systems  would 
be  fully  operational  on  January  3,  2000 — the  first  business  day  of  the  new 
century.  The  strategy  comprised  the  comprehensive  set  of  actions  that 
were  to  be  executed  during  the  last  days  of  1999  and  the  first  days  of  2000 
and  the  activities  leading  up  to  the  critical  century  rollover  date,  such  as 
the  identification  of  key  personnel  involved,  preparation  of  facilities 
checklists,  establishment  of  a  Year  2000  command  center,  and  the 
identification  of  computer  systems  to  be  tested. 

To  ensure  that  its  Day  One  strategy  would  be  effective,  in  September  1999, 
SSA  conducted  simulations  of  potential  infrastructure  problems  that  could 
affect  its  operations  (for  example,  telephone,  electric  power,  and  water 
outages;  security  system  failures;  and  the  lack  of  mainframe  computer 
connectivity) .  Designated  personnel  in  selected  SSA  offices  used  the  Day 
One  strategy  as  a  guide  for  mitigating  the  problems  encountered  during  the 
simulations.  Lessons  learned  from  the  simulations  became  the  basis  for 
revising  the  Day  One  strategy  and  for  better  informing  SSA’s  personnel  of 
the  critical  activities  that  could  be  involved  in  ensuring  continued 
operations  during  the  rollover  and  beyond. 


Page  6 


GAO/AIMD-00-125  SSA  Year  2000  Readiness  Efforts 


B-284973 


SSA  Corrected  Date-Field 
Errors  Identified  Through 
Its  Quality  Assurance 
Process 


Our  July  1999  testimony  noted  that  SSA  had  instituted  a  change 
management  process  to  help  reduce  the  risk  of  Year  2000  disruptions.  One 
of  the  key  components  of  the  change  management  process  was  the  use  of  a 
quality  assurance  validation  tool  that  allowed  SSA  to  assess  the  quality  of 
its  previously  renovated  mission-critical  applications.®  Specifically,  this  tool 
searched  application  programs  to  identify  any  date  defects  that  were 
introduced  into  systems  after  they  were  already  certified  Year  2000 
compliant.  SSA  then  corrected  and  recertified  the  applications  before 
returning  them  to  production. 

SSA  applied  the  validation  tool  to  all  compatible  (284  of  its  308)  mission- 
critical  applications.®  At  the  time  of  our  testimony,  SSA  had  assessed  about 
92  percent  of  those  applications  and  had  identified  more  than  1,500  date- 
field  errors.  However,  only  about  44  applications  had  actually  been 
corrected,  recertified,  and  returned  to  production.  SSA  subsequently  made 
the  necessary  corrections  to  these  applications,  and  in  December  1999 
recertified  all  of  its  compatible  applications  as  having  no  errors. 


SSA  Readiness  Actions 
Helped  Ensure  General 
Rollover  Success 


SSA  encountered  few  Year  2000-related  errors  in  its  transition  to  the  new 
century,  reporting  that  the  Year  2000  problem  had  no  effect  on  its  business 
operations  or  the  delivery  of  its  key  services.  SSA’s  early  awareness  of  the 
Year  2000  problem  and  its  prompt  attention  to  addressing  identified  Year 
2000  risks  helped  position  it  to  successfully  meet  this  challenge.  SSA 
enhanced  its  readiness  by  using  the  rollover  weekend  to  identify  and, 
where  necessary,  correct  errors  before  any  problems  could  result  in 
operational  consequences. 


In  guidance  on  planning  for  the  rollover  period,^  we  stated  that 
organizations  should  activate  coordination/command  center  (s),  conduct 
facility  inspections,  and  perform  postrollover  tests,  evaluations,  and 


*The  two  other  components  of  this  change  management  process  were  (1)  system 
recertifications  and  (2)  a  moratorium  on  discretionary  software  modifications  between 
September  1,  1999,  and  March  31, 2000. 

^According  to  SSA,  10  of  the  308  applications  were  not  tested  because  they  were 
incompatible  with  the  tool;  13  applications  were  not  tested  because  they  are  no  longer  in 
use  (for  example,  obsolete,  retired,  or  replaced);  and  one  because  it  is  no  longer  a  part  of 
SSA’s  inventory 

^GAO/AIMD-10.1.22,  October  1999. 


Page  7 


GAO/AIMD-00-125  SSA  Year  2000  Readiness  Efforts 


B-284973 


assessments  of  key  business  processes  and  supporting  systems.  Consistent 
with  this  guidance,  SSA  established  several  centralized  centers  of  activity 
to  operate  during  the  rollover  weekend.  Foremost  was  the  agency’s  Year 
2000  Command  Center,  located  in  its  National  Computer  Center  in 
Baltimore,  Maryland.  The  command  center  served  as  the  focal  point  for 
monitoring  all  of  the  agency’s  Day  One  activities  and  for  providing  direct 
access  to  the  most  current  updates  on  SSA’s  Year  2000  status.  The  center 
was  staffed  with  key  representatives  from  various  offices  throughout  SSA. 
These  included  the  office  of  the  deputy  commissioner  for  systems,  as  well 
as  the  offices  of  the  deputy  commissioners  for  operations;  finance, 
assessment  and  management:  disability  and  income  security  programs; 
communications;  and  legislative  and  congressional  affairs. 

SSA’s  rollover  activities  began  on  December  30,  1999,  and  continued 
through  January  3,  2000.  During  this  period,  designated  personnel 
throughout  the  agency  were  tasked  with  inspecting,  evaluating,  and 
reporting  on  virtually  every  one  of  SSA’s  offices.  This  included  assessing 
infrastructure  elements  such  as  electric  power,  telephones,  and  elevators, 
and  monitoring  the  agency’s  local  area  network  operations  and  the  status 
of  on-line  and  batch  production  workloads.  Coordination  and  reporting  on 
the  overall  health  of  the  agency’s  equipment  and  software  were  facilitated 
by  the  use  of  various  existing  tools,  including  the  Internet,  Intranet, 
telephones,  and  public  television.  SSA  communicated  (via  a  dedicated 
terminal)  with  the  federal  Information  Coordination  Center  in  Washington, 
D.C.,  on  the  status  of  operations  during  the  rollover  period.® 

Overall,  SSA  Identified  three  problems  related  to  Y2K,  but  its  Year  2000 
project  team  considered  each  to  be  minor,  and  reported  that  SSA  was  able 
to  correct  them  with  no  impact  on  the  agency’s  processing  capabilities.® 
Two  of  the  three  problems  involved  electronic  mail.  In  one  incident, 
electronic  messages  generated  during  the  rollover  weekend  were 
erroneously  dated  1900.  In  the  second  incident,  some  electronic  messages 
with  return  receipt  requests  contained  a  subject  line  that  displayed  an 


*The  President  created  the  Information  Coordination  Center  in  June  1999  to  assist  the  Chair 
of  the  President’s  Council  on  Year  2000  Conversion.  Under  its  umbrella,  the  federal 
government  implemented  a  large-scale  reporting  process  to  obtain  information  on  events 
occurring  during  the  rollover  weekend  from  major  federal  agencies,  states,  key  sectors  of 
the  economy,  and  foreign  countries. 

’Because  the  identified  problems  did  not  have  a  significant  impact  on  operations,  SSA  did 
not  report  them  to  the  Information  Coordination  Center. 
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incorrect  century.  SSA  stated  that  neither  problem  adversely  affected 
actual  e-mail  traffic.  Further,  SSA  reported,  it  corrected  the  first  problem 
on  January  3,  2000,  and  the  second  by  January  21,  2000,  using  a  vendor 
software  patch. 

In  a  third  incident,  SSA  encountered  a  problem  in  which  the  year  was  not 
fully  displayed  on  reports  produced  in  the  field  offices  to  alert  claims 
examiners  to  outstanding  actions.  Specifically,  the  display  date  did  not 
show  the  complete  year  due  to  the  suppression  of  one  of  the  zeros 
contained  in  the  year  2000.  As  with  the  previous  two  problems,  SSA  did  not 
consider  this  incident  to  be  significant,  and  reported  it  corrected  on 
January  15,  2000,  as  part  of  its  normal  monthly  software  maintenance 
activities. 


SSA  Did  Not  Encounter  Another  key  Year  2000-related  date  that  threatened  to  affect  SSA  was  leap 

Lean  Year  Difficulties  day— February  29,  2000.  A  failure  to  ensure  that  computer  systems  could 

^  recognize  this  date  raised  the  potential  that  applications  would  process 

data  incorrectly  by,  for  example,  miscalculating  the  number  of  days 
between  significant  dates  or  in  a  significant  time  frame  (for  example,  week, 
month,  quarter,  or  year).  SSA  had  anticipated  the  potential  impact  of  this 
date  and  had  included  it  among  the  agency’s  critical  processing  dates  that 
were  tested  for  Year  2000  compliance.  In  reporting  on  the  status  of  its  leap 
day  operations,  SSA  stated  that  the  agency  did  not  encounter  any  problems 
or  limitations  in  its  processing  capabilities  as  a  result  of  this  date. 


Year  2000  Practices 
Could  Help  Improve 
SSA’s  Management  of 
Information 
Technology 


For  many  federal  agencies,  the  threat  posed  by  the  Year  2000  problem  was 
a  much  needed  alert.  Because  of  the  urgency  of  the  issue,  agencies  could 
not  afford  to  carry  on  in  the  same  manner  that  had  resulted  in  over  a 
decade  of  poor  information  technology  planning  and  program 
management.  As  we  reported  in  October  1999,'"  the  Year  2000  problem  laid 
a  foundation  for  longer  term  improvements  in  the  way  the  federal 
government  views,  manages,  and  protects  computer  systems  supporting 
the  nation’s  critical  infrastructure.  Accordingly,  it  is  important  that 
agencies  institutionalize  the  processes  that  they  established  to  contend 
with  the  Year  2000  problem  so  that  future  information  technology 


"‘Critical  Infrastructure  Protection:  Comprehensive  Strategy  Can  Draw  on  Year  2000 
Experiences  (GAO/AIMD-00-1,  October  1, 1999). 
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initiatives  benefit  from  this  massive  effort.  Lessons  learned  from  the  Year 
2000  challenge  should  be  applied  to  agencies’  implementation  of  the 
Clinger-Cohen  Act  of  1996  which,  in  part,  seeks  to  strengthen  executive 
leadership  in  information  management  and  institute  sound  capital 
investment  decision-making  to  maximize  the  return  on  information 
systems  investments.  As  we  recently  testified,"  among  the  lessons  learned 
governmentwide  were  the  importance  of 

•  providing  high-level  congressional  and  executive  branch  leadership, 

•  understanding  the  importance  of  computer-supported  operations, 

•  providing  standard  guidance, 

•  establishing  partnerships, 

•  facilitating  progress  and  monitoring  performance,  and 

•  implementing  fundamental  information  technology  improvements. 

As  part  of  its  Year  2000  program,  SSA  implemented  a  number  of  practices 
that  hold  valuable  lessons  about  how  information  technology  can  best  be 
managed.  It  will  be  essential  for  SSA  to  consider  how  these  practices  can 
be  used  to  help  ensure  effective  management  of  its  information  technology 
over  the  longer  term.  For  example,  as  a  leader  among  federal  agencies  in 
addressing  the  Year  2000  problem,  SSA  played  a  pivotal  role  in  energizing 
other  federal  agencies  to  meet  the  challenge.  SSA’s  assistant  deputy 
commissioner  for  systems  chaired  the  Chief  Information  Officers  Council’s 
Committee  on  the  Year  2000,  and  in  this  capacity,  helped  raise  awareness 
about  the  Y2K  threat  across  government  and  provide  valuable  assistance  to 
other  federal  agencies  in  addressing  the  problem.  For  example,  SSA  was 
instrumental  in  supporting  federal  agencies’  development  of  Day  One 
strategies,  which  were  necessary  to  reduce  the  risk  to  facilities,  systems, 
programs,  and  services  during  the  critical  rollover  period.  In  testifying  on 
the  Year  2000  problem  in  January  1999,'^  we  noted  that  SSA  had  developed 
such  a  strategy  and  encouraged  0MB  to  consider  requiring  other  agencies 
to  develop  similar  strategies.  0MB  agreed,  subsequently  requiring  agencies 
to  submit  Day  One  strategies  by  October  15, 1999.  SSA’s  strategy  became 
the  model  that  many  other  federal  agencies  and  private-sector 
organizations  used  in  developing  their  own  Day  One  blueprints. 


' '  year  2000  Computing  Challenge:  Leadership  and  Partnerships  Result  in  Limited  Rollover 
Disruptions  (GAO/T-AIMD-00-70,  January  27.  2000). 

year  2000  Computing  Crisis:  Readiness  Improving,  But  Much  Work  Remains  to  Avoid  Major 
Disruptions  (GAO/T-AIMD-99-50,  January  20, 1999). 
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As  SSA  proceeds  with  its  operations  in  the  new  century,  it  now  has  the 
opportunity  to  build  upon  its  position  as  a  proactive  Year  2000  leader, 
facilitating  more  effective  management  of  information  technology. 
Specifically,  in  undertaking  its  own  information  technology  planning  and 
program  management,  and  because  of  the  broad  range  of  technology- 
related  information  and  perspectives  gained  from  addressing  the  Year  2000 
problem,  SSA  should  be  better  positioned  to  explore  how  technology  can 
improve  agency  performance.  Further,  because  the  Year  2000  problem 
demanded  consistent  and  persistent  top  management  attention,  SSA’s 
leadership  should  now  have  a  more  established  basis  for  identifying, 
prioritizing,  and  evaluating  the  effectiveness  of  information  technology  to 
best  meet  the  agency’s  needs. 

The  Year  2000  problem  also  compelled  SSA  to  closely  examine  its 
relationships  with  business  partners  criticcil  to  the  delivery  of  its  services, 
especially  those  involving  the  payment  of  benefits.  As  mentioned,  SSA 
worked  closely  with  its  benefits  payment  delivery  partners — the 
Department  of  the  Treasury,  the  Federal  Reserve  System,  and  the  U.S. 
Postal  Service — to  ensure  the  continuity  of  operations  supporting  Social 
Security  and  Supplemental  Security  Income  benefits  payments.  SSA’s 
development  of  a  benefits  payment  and  delivery  plan  that  provided 
alternate  ways  of  delivering  payments  to  Social  Security  beneficiaries  in 
the  event  of  a  Year  2000-related  problem  was  an  example  of  how  the  agency 
effectively  partnered  with  Treasury  and  the  Federal  Reserve  to  meet  this 
challenge. 

As  organizations  increasingly  look  to  electronic  communications  and 
commerce  as  a  means  of  conducting  business,  the  need  for  partnerships 
among  federal  agencies  and  other  entities  is  likely  to  grow  in  importance. 
Electronic  interdependencies,  and  the  potentially  massive  exchanges  of 
data  that  are  likely  to  accompany  them,  prompt  an  increasing  need  for 
federal  agencies  and  private  entities  to  form  partnerships  to  deal  with 
crosscutting  issues,  such  as  Internet  service  delivery  and  computer 
security.  As  a  result  of  its  Year  2000  work,  SSA  should  now  have  an 
improved  basis  for  establishing  and  building  upon  its  partnerships  with 
other  organizations  to  meet  this  challenge. 

The  Year  2000  problem  resulted  in  many  agencies’  taking  charge  of  their 
information  technology  resources  in  much  more  active  ways  than  they  did 
in  the  past,  and  provided  them  with  the  incentive  and  opportunity  to 
assume  control  of  their  information  technology  environments.  SSA 
accomplished  this  in  part  by  implementing  its  Year  2000  quality  assurance 
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validation  tool  to  help  reduce  the  risk  of  disruption.  As  part  of  an 
established  series  of  change  management  procedures,  the  tool  enabled  SSA 
to  reexamine  all  of  its  previously  renovated  mission-critical  applications  to 
make  sure  that  date  defects  were  not  introduced  into  systems  that  were 
already  certified  Year  2000-compliant.  Beyond  the  Year  2000  rollover,  the 
tool  remains  useful  for  reducing  the  risk  of  date  problems  associated  with 
SSA’s  future  software  application  modifications.  SSA  has  recognized  this 
potential  benefit  and  has  begun  pilot  testing  the  tool  on  current  software 
projects  to  determine  the  best  approach  for  institutionalizing  the  quality 
assurance  mechanism  within  its  software  development  and  maintenance 
process. 

SSA’s  development  of  its  Year  2000  business  continuity  and  contingency 
plans  should  also  help  in  the  future.  In  the  event  that  an  emergency  occurs 
that  negatively  affects  the  agency’s  ability  to  perform  services 
electronically,  the  plan  contains  numerous  tested  procedures  that  could 
help  facilitate  SSA’s  continued  operations. 

At  the  conclusion  of  our  review,  the  Year  2000  program  director  stated  that, 
beyond  considering  broader  implementation  of  the  quality  assurance  tool, 
SSA  had  not  yet  undertaken  nor  established  a  plan  for  conducting  a 
postevaluation  study  of  its  Year  2000  practices.  However,  he  acknowledged 
the  potential  value  in  assessing  how  these  practices  can  be  applied  to  help 
SSA  effectively  manage  its  information  technology.  He  added  that  he 
intended  to  suggest  to  SSA  management  that  such  an  evaluation  be 
undertaken. 


Conclusions  Because  of  SSA’s  commitment  to  and  leadership  in  addressing  the  Year  2000 

problem,  it  was  well-positioned  to  enter  the  new  century,  encountering  few 
difficulties  during  the  rollover.  Now  that  the  new  century  has  arrived,  it  is 
important  that  SSA  maintain  this  momentum.  Institutionalizing  the 
practices  established  to  contend  with  the  Year  2000  problem,  such  as  use  of 
the  quality  assurance  validation  tool,  could  assist  SSA  in  more  effectively 
managing  its  information  technology. 


R  Pr  nm  m  pn  H  a  ti  on  S  To  help  ensure  the  effective  management  of  information  technology,  we 

recommend  that  the  Commissioner  of  Social  Security  direct  the  Chief 
Information  Officer,  in  conjunction  with  the  Deputy  Commissioner  for 
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Systems,  to  capitalize  on  the  lessons  learned  from  SSA’s  Year  2000  initiative 

by 

•  establishing  and  implementing  a  plan  and  cognizant  milestones  for 
identifying  which  of  its  processes  and  practices  can  be  applied  to  the 
agency’s  existing  approach  toward  managing  information  technology 
and 

•  institutionalizing  those  processes  and  practices  as  part  of  the  agency’s 
implementation  of  the  Clinger-Cohen  Act,  where  appropriate. 

Agency  Comments 

In  commenting  on  a  draft  of  this  report,  SSA  agreed  with  our 
recommendations  and  stated  that  the  agency  had  already  begun  to  apply 
lessons  learned  from  its  Year  2000  efforts.  For  example,  SSA  stated  that  its 
Year  2000  contingency  plans  have  been  incorporated  into  the  agency’s 
Continuity  of  Operations  Plans.  In  addition,  SSA  reiterated  that  it  has  begun 
to  pilot  test  the  quality  assurance  validation  tool  used  for  its  Year  2000 
program  to  determine  whether  it  can  help  effectively  manage  the  agency’s 
information  technology.  SSA  also  stated  that  it  plans  to  consider  applying 
the  lessons  learned  from  its  Year  2000  initiative  in  its  implementation  of  the 
Clinger-Cohen  Act. 

We  are  sending  copies  of  this  letter  to  the  Honorable  Kenneth  S.  Apfel, 
Commissioner  of  Social  Security;  the  Honorable  Jacob  J.  Lew,  Director  of 
the  Office  of  Management  and  Budget;  appropriate  congressional 
committees;  and  other  interested  parties.  Copies  will  also  be  made 
available  to  others  upon  request. 
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Please  contact  me  at  (202)  512-6253  or  by  e-mail  at 
willemssenJ.aimd@gao.gov  if  you  have  any  questions  concerning  this 
report.  Key  contributors  to  this  assignment  were  Michael  A.  Alexander, 
Kenneth  A.  Johnson,  and  Valerie  C.  Melvin. 


Joel  C.  Willemssen 

Director,  Civil  Agencies  Information  Systems 
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Comments  From  the  Social  Security 
Administration 


w 

SOCIAL  SECURITY 

Office  of  the  Commissioner 


March  30,  2000 


Mr.  Jeffrey  C.  Steinhoff 
Acting  Assistant  Comptroller  General 
U.S.  General  Accounting  Office 
Washington,  D.C.  20548 

Dear  Mr.  Steinhoff: 

Thank  you  for  the  opportunity  to  review  and  comment  on  the 
General  Accounting  Office  draft  report  Social  Security 
Administration:  Year  2000  Readiness  Efforts  Helped  Ensure 

Century  Rollover  and  Leap  Year  Success  (GAO/AIMD-00-125) . 

We  appreciate  the  recognition  in  the  draft  report  of  the  strong 
commitment  of  the  Social  Security  Administration  (SSA)  to  meet 
the  Year  2000  challenge.  Because  of  this  commitment,  the  Year 
2000  rollover  period  was  uneventful  for  us  and  there  was  no 
disruption  in  service  to  the  public. 

With  regard  to  the  recommendations  included  in  the  draft 
report,  we  agree  that  the  lessons  learned  from  our  successful 
Year  2000  effort  should  be  applied,  where  applicable,  to  other 
initiatives.  In  fact,  we  have  already  begun  to  do  so.  We  found 
the  contingency  plans  that  were  developed  as  part  of  the  Year 
2000  initiative  to  be  of  particular  value.  They  already  have 
been  incorporated  into  our  Continuity  of  Operations  Plans. 

In  addition,  we  have  begun  to  pilot  test  the  quality  assurance 
validation  tool  used  in  our  Year  2000  effort  to  see  if  it  can 
assist  us  to  more  effectively  manage  our  overall  information 
technology  initiatives.  As  for  applying  the  lessons  learned 
from  our  Year  2000  initiative  to  implementation  of  the 
Clinger-Cohen  Act,  we  certainly  will  consider  this  experience 
as  we  continue  to  conform  with  the  requirements  of  the  Act. 

If  you  have  any  questions,  your  staff  may  contact  Mark  Welch, 
on  (410)  965-0374. 


Sincerely, 

Kenneth  S.  Apfel 
Commissioner 

of  Social  Security 


SOCIAL  SECURITY  ADMINISTRATION  BALTIMORE  MD  21235-0001 


(511833) 


Page  16 


GAO/AIMD-00-125  SSA  Year  2000  Readiness  Efforts 


Ordering  Information 


To  Report  Fraud, 
Waste,  or  Abuse  in 
Federal  Programs 


The  first  copy  of  each  GAO  report  is  free.  Additional  copies  of 
reports  are  $2  each.  A  check  or  money  order  should  be  made  out  to 
the  Superintendent  of  Documents.  VISA  and  MasterCard  credit 
cards  are  accepted,  also. 

Orders  for  100  or  more  copies  to  be  mailed  to  a  single  address  are 
discounted  25  percent. 

Orders  by  mail: 

U.S.  General  Accounting  Office 
P.O.  Box  37050 
Washington,  DC  20013 

Orders  by  visiting: 

Room  1100 
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U.S.  General  Accounting  Office 
Washington,  DC 

Orders  by  phone: 

(202)  512-6000 
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TDD  (202)  512-2537 

Each  day,  GAO  issues  a  list  of  newly  available  reports  and 
testimony.  To  receive  facsimile  copies  of  the  daily  list  or  any  list 
from  the  past  30  days,  please  call  (202)  512-6000  using  a  touchtone 
phone.  A  recorded  menu  will  provide  information  on  how  to  obtain 
these  lists. 

Orders  by  Internet: 

For  information  on  how  to  access  GAO  reports  on  the  Internet, 
send  an  e-mail  message  with  “info”  in  the  body  to: 

info@www.gao.gov 

or  visit  GAO’s  World  Wide  Web  home  page  at: 
http://www.gao.gov 
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